njrat | 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f

General

Target

6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
Size

863KB
MD5

c83a8098ded06f15dc4bdbafc09f4ecf
SHA1

3c45d7d4a0be2be37e1624dbb2ffe371ce95d587
SHA256

6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f
SHA512

522add6bdf1f113db3eebc8ff7410decda5d12bb3b3953e39e99fd4d887d1468a169ee90baec75de7a79ff9c5c028d60e0345124a78ce9403311aacdc5466df6
SSDEEP

24576:TRmJkcoQricOIQxiZY1iaEtmUJ9tiO3BXB:gJZoQrbTFZY1iayJ933lB

Score

10^/10

njrat bot evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Bot

C2

drazmatik56.no-ip.org:1604

Mutex

5364b242e8892a314b968229a5ceac99

Attributes

reg_key
5364b242e8892a314b968229a5ceac99
splitter
|'|'|

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\svchost.exe,explorer.exe"	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

444 svchost.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2500 netsh.exe

pid	process
444	svchost.exe

pid	process
2500	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\svchost.exe"	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Windows\svchost.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Windows\svchost.exe	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exesvchost.exe

description	pid	process	target process
PID 3040 set thread context of 3540	3040	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	RegSvcs.exe
PID 444 set thread context of 3032	444	svchost.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4896 3540 WerFault.exe RegSvcs.exe

pid	pid_target	process	target process
4896	3540	WerFault.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exesvchost.exe

pid	process
3040	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
3040	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
444	svchost.exe
444	svchost.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3032	RegSvcs.exe
Token: 33	3032	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3032	RegSvcs.exe
Token: 33	3032	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3032	RegSvcs.exe
Token: 33	3032	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3032	RegSvcs.exe
Token: 33	3032	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3032	RegSvcs.exe
Token: 33	3032	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3032	RegSvcs.exe
Token: 33	3032	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3032	RegSvcs.exe
Token: 33	3032	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3032	RegSvcs.exe
Token: 33	3032	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3032	RegSvcs.exe
Token: 33	3032	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3032	RegSvcs.exe
Token: 33	3032	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3032	RegSvcs.exe
Token: 33	3032	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3032	RegSvcs.exe
Token: 33	3032	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3032	RegSvcs.exe
Token: 33	3032	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3032	RegSvcs.exe
Token: 33	3032	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3032	RegSvcs.exe
Token: 33	3032	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3032	RegSvcs.exe
Token: 33	3032	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3032	RegSvcs.exe
Token: 33	3032	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3032	RegSvcs.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exesvchost.exeRegSvcs.exe

description	pid	process	target process
PID 3040 wrote to memory of 3540	3040	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	RegSvcs.exe
PID 3040 wrote to memory of 3540	3040	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	RegSvcs.exe
PID 3040 wrote to memory of 3540	3040	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	RegSvcs.exe
PID 3040 wrote to memory of 3540	3040	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	RegSvcs.exe
PID 3040 wrote to memory of 444	3040	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	svchost.exe
PID 3040 wrote to memory of 444	3040	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	svchost.exe
PID 3040 wrote to memory of 444	3040	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	svchost.exe
PID 444 wrote to memory of 3032	444	svchost.exe	RegSvcs.exe
PID 444 wrote to memory of 3032	444	svchost.exe	RegSvcs.exe
PID 444 wrote to memory of 3032	444	svchost.exe	RegSvcs.exe
PID 444 wrote to memory of 3032	444	svchost.exe	RegSvcs.exe
PID 444 wrote to memory of 3032	444	svchost.exe	RegSvcs.exe
PID 444 wrote to memory of 3032	444	svchost.exe	RegSvcs.exe
PID 444 wrote to memory of 3032	444	svchost.exe	RegSvcs.exe
PID 444 wrote to memory of 3032	444	svchost.exe	RegSvcs.exe
PID 3032 wrote to memory of 2500	3032	RegSvcs.exe	netsh.exe
PID 3032 wrote to memory of 2500	3032	RegSvcs.exe	netsh.exe
PID 3032 wrote to memory of 2500	3032	RegSvcs.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
"C:\Users\Admin\AppData\Local\Temp\6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
2⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 80
3⤵
- Program crash
PID:4896

C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
"C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:444

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" "RegSvcs.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3540 -ip 3540
1⤵
PID:4904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
Filesize
863KB

MD5
c83a8098ded06f15dc4bdbafc09f4ecf

SHA1
3c45d7d4a0be2be37e1624dbb2ffe371ce95d587

SHA256
6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f

SHA512
522add6bdf1f113db3eebc8ff7410decda5d12bb3b3953e39e99fd4d887d1468a169ee90baec75de7a79ff9c5c028d60e0345124a78ce9403311aacdc5466df6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
Filesize
863KB

MD5
c83a8098ded06f15dc4bdbafc09f4ecf

SHA1
3c45d7d4a0be2be37e1624dbb2ffe371ce95d587

SHA256
6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f

SHA512
522add6bdf1f113db3eebc8ff7410decda5d12bb3b3953e39e99fd4d887d1468a169ee90baec75de7a79ff9c5c028d60e0345124a78ce9403311aacdc5466df6

Download Submit
memory/444-134-0x0000000000000000-mapping.dmp

Download
memory/2500-140-0x0000000000000000-mapping.dmp

Download
memory/3032-138-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3032-137-0x0000000000000000-mapping.dmp

Download
memory/3032-139-0x00000000741E0000-0x0000000074791000-memory.dmp

Filesize
5.7MB

Download
memory/3032-141-0x00000000741E0000-0x0000000074791000-memory.dmp

Filesize
5.7MB

Download
memory/3540-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads